Firefox and Safari prevent sites from eavesdropping on smartphone code with gyroscope

Apple and Mozilla have released a patch for an attack method that allows websites to listen to users’ PINs in the background via data from the gyroscope. Google has been hesitant to implement that fix, but fears it will restrict websites too much.

The patch is in iOS 9.3, which came out last March, and in Firefox 46. Chrome users are still vulnerable despite British researchers sharing their findings more than a year ago, British researchers note in a study into the dangers from eavesdropping on PIN codes via data from the gyroscope. The scientists notified browser makers before publishing their findings in February last year, and Apple and Mozilla took action within a short period of time.

The fix from Mozilla and Apple is that only websites that are in the foreground are allowed to read data from the gyroscope. This prevents websites from reading data from the gyroscope in the background and deducing which numbers the user has pressed – and therefore which PIN code he or she has on the smartphone. The researchers conducted an experiment last year in which, after five attempts, they always succeeded in listening to the correct PIN code using data from the gyroscope. This is because the pressure of the fingers in certain places on the screen causes a small movement in the phone that the gyroscope can read.

Chromium developers know about the attack method, but ultimately did not implement the fix. They feared that in the future, websites could do less with maps and videos that depend on data from sensors. They reason that we do not yet know what data they will need in the background in the future. Moreover, asking users for permission would be pointless, because they are less able to oversee the implications than with permission when using the camera or GPS.

It’s not the first time researchers have found ways to figure out what code users have on a smartphone. For example, there was previously a method via microphone and camera, while swipes on the screen are an indication when Android phone users use a pattern for the unlock. The rise of fingerprint scanners on smartphones makes such attacks less effective, because people enter a code much less often with them.